AWS EKS Prerequisites
This page outlines the prerequisite requirements for deploying Cortex DCI on a Kubernetes/EKS cluster using the "helm-only" deployment model.
For help deploying the EKS cluster itself, refer to Amazon's EKS documentation.
Basic Installation Prerequisites
- AWS account (Account ID)
- Valid SMTP credentials
- Domain name
- Cortex license and account name
- JWT and key for "docsToken"
- TLS/SSL certificate signed by a trusted CA, together with any intermediate certificates and the associated private key files
- Utilities:
- aws-cli
- kubectl
- k9s
- helm
- jq
AWS Services
Cluster preparation is performed by a user with administrative permissions and API keys for the AWS account. This user must have access to the services listed below.
IAM Roles
- Three (3) roles must be provisioned, with the following policies attached to them.
- <rolename>-cluster: This role is required while creating the cluster. The following IAM policies must be attached to it:
- <rolename>-bastion: This role is assigned to the bastion hosts and has admin privileges over the cluster. It carries the inline policy below, scoped to the ARN of the DCI cluster rather than to every cluster in the account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:*",
      "Resource": "arn:aws:CLUSTER-ARN"
    }
  ]
}
```

Note that eks:* grants access to the EKS management API only; for the role to act as an administrator inside Kubernetes it must also be mapped in the cluster's aws-auth ConfigMap.
- <rolename>-worker: This role is assigned to the worker nodes so that they can join the EKS cluster and reach the control plane. The following policies are needed for the workers to connect to the control plane:
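The following script is an added example, not CognitiveScale's tooling: it builds the trust policies for the three roles and fills the cluster ARN into the bastion inline policy shown above, refusing a wildcard or malformed ARN so that eks:* can never apply to every cluster in the account, and emits the aws-cli commands that create the roles. The trust-policy principals (eks.amazonaws.com for the cluster role, ec2.amazonaws.com for the two instance roles) are the standard EKS and EC2 service principals; the sample ARN, role name prefix and inline policy name are constructed for the example. Managed policies for the cluster and worker roles are attached separately.

```python
"""Build IAM documents for the <rolename>-cluster/-bastion/-worker roles.

Added example; not CognitiveScale's tooling. The sample cluster ARN and the
role name prefix "dci" are constructed.
"""
import json
import os
import re

# Constructed sample; take the real value from
#   aws eks describe-cluster --name <cluster_name> --query cluster.arn
SAMPLE_CLUSTER_ARN = "arn:aws:eks:us-east-1:123456789012:cluster/dci-prod"

# Exactly one cluster: partition, region, 12-digit account, cluster name.
CLUSTER_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:eks:[a-z0-9-]+:\d{12}:cluster/[A-Za-z0-9][A-Za-z0-9_-]*$"
)


def trust_policy(service: str) -> dict:
    """Trust policy allowing one AWS service principal to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }],
    }


def bastion_inline_policy(cluster_arn: str) -> dict:
    """The page's inline policy with the cluster ARN filled in. A wildcard or
    malformed ARN is rejected so eks:* cannot silently widen to the account."""
    if not CLUSTER_ARN_RE.match(cluster_arn):
        raise ValueError(f"expected a single EKS cluster ARN, got {cluster_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": cluster_arn,
        }],
    }


def role_documents(rolename: str, cluster_arn: str) -> dict:
    """Trust and inline policies per role; the EC2-backed roles also need an
    instance profile. Managed policies are attached with
    `aws iam attach-role-policy` and are not generated here."""
    return {
        f"{rolename}-cluster": {"trust": trust_policy("eks.amazonaws.com"),
                                "inline": {}, "instance_profile": False},
        f"{rolename}-bastion": {"trust": trust_policy("ec2.amazonaws.com"),
                                "inline": {"eks-cluster-admin": bastion_inline_policy(cluster_arn)},
                                "instance_profile": True},
        f"{rolename}-worker": {"trust": trust_policy("ec2.amazonaws.com"),
                               "inline": {}, "instance_profile": True},
    }


def write_documents(rolename: str, cluster_arn: str, out_dir: str = ".") -> list:
    """Write the JSON files referenced by cli_commands(); returns their paths."""
    paths = []
    for role, spec in role_documents(rolename, cluster_arn).items():
        docs = {f"{role}-trust.json": spec["trust"]}
        docs.update({f"{role}-{name}.json": pol for name, pol in spec["inline"].items()})
        for fname, doc in docs.items():
            path = os.path.join(out_dir, fname)
            with open(path, "w") as fh:
                json.dump(doc, fh, indent=2)
            paths.append(path)
    return paths


def cli_commands(rolename: str, cluster_arn: str) -> list:
    """aws-cli commands, as strings, that create the roles from those files."""
    cmds = []
    for role, spec in role_documents(rolename, cluster_arn).items():
        cmds.append(f"aws iam create-role --role-name {role} "
                    f"--assume-role-policy-document file://{role}-trust.json")
        for name in spec["inline"]:
            cmds.append(f"aws iam put-role-policy --role-name {role} "
                        f"--policy-name {name} --policy-document file://{role}-{name}.json")
        if spec["instance_profile"]:
            cmds.append(f"aws iam create-instance-profile --instance-profile-name {role}")
            cmds.append(f"aws iam add-role-to-instance-profile "
                        f"--instance-profile-name {role} --role-name {role}")
    return cmds


if __name__ == "__main__":
    write_documents("dci", SAMPLE_CLUSTER_ARN)
    print("\n".join(cli_commands("dci", SAMPLE_CLUSTER_ARN)))
```

Run it once with the real cluster ARN, review the generated JSON, then execute the printed commands with the administrative credentials described above.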
Network
VPC
The EKS cluster uses a VPC with a /16 IPv4 CIDR block that is subnetted into a network supporting both public and private subnets.
The public subnets host the Internet-facing load balancers as well as the NAT gateways.
For EKS/Kubernetes to discover the VPC, it must carry the following tag:
Key | Value |
---|---|
kubernetes.io/cluster/<cluster_name> | shared |
Subnets
DCI EKS requires /22 IPv4 CIDR subnets in a minimum of three (3) Availability Zones within the same Region.
For EKS/Kubernetes to discover the subnets, each must carry the following tag:
Key | Value |
---|---|
kubernetes.io/cluster/<cluster_name> | shared |
For EKS/Kubernetes to identify the public subnets and use them for external load balancers, those subnets must additionally carry the following tag:
Key | Value |
---|---|
kubernetes.io/role/elb | 1 |
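The following pre-flight check is an added example and not part of the DCI tooling: it verifies the VPC and subnet requirements above (a /16 VPC, /22 subnets inside it, at least three Availability Zones, the cluster discovery tag on every resource and the elb role tag on the public subnets). Input dicts follow the shape of `aws ec2 describe-vpcs` and `aws ec2 describe-subnets` output; the sample data is constructed and deliberately contains two faults. Treating MapPublicIpOnLaunch as the marker of a public subnet is an assumption of the example; the definitive test is a route table with a default route to the Internet gateway.

```python
"""Pre-flight check of VPC/subnet CIDRs and Kubernetes discovery tags.

Added example; not part of the DCI tooling. Sample data is constructed.
"""
import ipaddress

CLUSTER_NAME = "dci-prod"  # constructed


def _cluster_tag(cluster_name: str) -> str:
    return f"kubernetes.io/cluster/{cluster_name}"


def _tags(resource: dict) -> dict:
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def _subnet(sid, cidr, az, public, extra_tags=()):
    """Build a subnet dict shaped like `aws ec2 describe-subnets` output."""
    tags = [{"Key": _cluster_tag(CLUSTER_NAME), "Value": "shared"}]
    tags += [{"Key": k, "Value": v} for k, v in extra_tags]
    return {"SubnetId": sid, "CidrBlock": cidr, "AvailabilityZone": az,
            "MapPublicIpOnLaunch": public, "Tags": tags}


ELB = ("kubernetes.io/role/elb", "1")
SAMPLE_VPC = {"VpcId": "vpc-0a1b2c3d", "CidrBlock": "10.20.0.0/16",
              "Tags": [{"Key": _cluster_tag(CLUSTER_NAME), "Value": "shared"}]}
SAMPLE_SUBNETS = [
    _subnet("subnet-pub-a", "10.20.0.0/22", "us-east-1a", True, [ELB]),
    _subnet("subnet-pub-b", "10.20.4.0/22", "us-east-1b", True, [ELB]),
    _subnet("subnet-pub-c", "10.20.8.0/22", "us-east-1c", True),      # fault: no elb tag
    _subnet("subnet-priv-a", "10.20.16.0/22", "us-east-1a", False),
    _subnet("subnet-priv-b", "10.20.20.0/22", "us-east-1b", False),
    _subnet("subnet-priv-c", "10.20.24.0/24", "us-east-1c", False),   # fault: /24, not /22
]


def check_vpc(vpc: dict, cluster_name: str) -> list:
    """Return a list of problems with the VPC (empty when it is compliant)."""
    problems = []
    net = ipaddress.ip_network(vpc["CidrBlock"])
    if net.prefixlen != 16:
        problems.append(f"{vpc['VpcId']}: CIDR {net} is not a /16")
    if _tags(vpc).get(_cluster_tag(cluster_name)) != "shared":
        problems.append(f"{vpc['VpcId']}: missing tag {_cluster_tag(cluster_name)}=shared")
    return problems


def check_subnets(subnets: list, vpc: dict, cluster_name: str) -> list:
    """Return a list of problems with the subnets (empty when all comply)."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc["CidrBlock"])
    azs = set()
    for s in subnets:
        sid, net, tags = s["SubnetId"], ipaddress.ip_network(s["CidrBlock"]), _tags(s)
        azs.add(s["AvailabilityZone"])
        if not net.subnet_of(vpc_net):
            problems.append(f"{sid}: {net} is outside VPC CIDR {vpc_net}")
        if net.prefixlen != 22:
            problems.append(f"{sid}: CIDR {net} is not a /22")
        if tags.get(_cluster_tag(cluster_name)) != "shared":
            problems.append(f"{sid}: missing tag {_cluster_tag(cluster_name)}=shared")
        # Assumption: MapPublicIpOnLaunch marks a public subnet. The definitive
        # test is a route table with a 0.0.0.0/0 route to an Internet gateway.
        if s.get("MapPublicIpOnLaunch") and tags.get("kubernetes.io/role/elb") != "1":
            problems.append(f"{sid}: public subnet missing tag kubernetes.io/role/elb=1")
    if len(azs) < 3:
        problems.append(f"subnets span {len(azs)} AZ(s); at least 3 are required")
    return problems


def check_network(vpc: dict, subnets: list, cluster_name: str) -> list:
    return check_vpc(vpc, cluster_name) + check_subnets(subnets, vpc, cluster_name)


if __name__ == "__main__":
    for line in check_network(SAMPLE_VPC, SAMPLE_SUBNETS, CLUSTER_NAME) or ["network checks passed"]:
        print(line)
```

Against real infrastructure, feed it the JSON from `aws ec2 describe-vpcs --vpc-ids <id>` and `aws ec2 describe-subnets --filters Name=vpc-id,Values=<id>` (the `Vpcs` and `Subnets` arrays respectively) and fix every reported problem before creating the cluster; missing tags are the usual cause of load balancers failing to provision.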
Internet and NAT Gateway
To grant Internet access to the worker nodes in the private subnets, a NAT gateway must be deployed in a public subnet, with Internet routing handled by an Internet gateway.
EKS Cluster
EKS Worker Nodes
Launch Config
EKS worker node launch configuration using the following AMI, a minimum instance size of m5.xlarge and a minimum root volume size of 50 GB. AMI IDs are region-specific, so confirm the ID for your Region:
AMI ID | AMI Name |
---|---|
ami-0e380e0a62d368837 | amazon-eks-node-1.12-v20190701 |
Auto Scaling Group
An Auto Scaling Group using the previously defined Launch Config and the following profile:
Instances | Min | Max | Availability Zones |
---|---|---|---|
4 | 4 | 10 | Same as subnets |
SSL Certificates
- Permissions to create a load balancer and configure target groups
- After creating the load balancer, create and provide the certificate and key files
- Provide DNS records for the following five (5) hostnames under the base domain, pointing at the load balancer:
- console.<cluster-name>.base-domain.
- api.<cluster-name>.base-domain.
- docs.<cluster-name>.base-domain.
- marketplace.<cluster-name>.base-domain.
- private-registry.<cluster-name>.base-domain.
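The check below is an added example, not DCI's code: it derives the five hostnames from the cluster name and base domain and verifies that a certificate's subject alternative names cover all of them, applying the browser wildcard rule (one label only) so that a too-shallow wildcard such as `*.base-domain` is correctly reported as not covering `console.<cluster-name>.base-domain`. The SAN lists are passed in as strings and the values used here are constructed; from a real certificate the names can be listed with `openssl x509 -in cert.pem -noout -ext subjectAltName`.

```python
"""Check that a certificate's SANs cover the five DCI hostnames.

Added example; not DCI's code. Cluster name, base domain and SAN lists
used for the demonstration are constructed.
"""
SERVICES = ("console", "api", "docs", "marketplace", "private-registry")


def dci_hostnames(cluster_name: str, base_domain: str) -> list:
    """The five names the load balancer must answer for (trailing dot optional)."""
    base = base_domain.rstrip(".")
    return [f"{svc}.{cluster_name}.{base}" for svc in SERVICES]


def san_matches(san: str, hostname: str) -> bool:
    """DNS-ID matching as clients apply it (RFC 6125 section 6.4.3): a wildcard
    stands for exactly one left-most label, so *.example.com covers
    api.example.com but not api.dci-prod.example.com. Partial-label wildcards
    (api*.example.com) are not honoured; anything else must match exactly,
    case-insensitively."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == san[2:]
    return "*" not in san and san == hostname


def uncovered(hostnames: list, sans: list) -> list:
    """Hostnames no SAN covers; an empty list means the certificate is usable."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    hosts = dci_hostnames("dci-prod", "example.com")          # constructed
    for sans in (["*.dci-prod.example.com"], ["*.example.com"]):
        missing = uncovered(hosts, sans)
        print(f"SANs {sans}: {'all covered' if not missing else 'missing ' + ', '.join(missing)}")
```

A single wildcard certificate for `*.<cluster-name>.base-domain` covers all five names; a wildcard one level up does not, and a certificate issued only for the base domain covers none of them. Chain completeness (the intermediate certificates listed in the prerequisites) is a separate check.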
Access to the Cluster
Provide CognitiveScale with admin EKS permissions so that they can access the cluster.
Optional External Databases
Mongo cluster
- Connection string with username/password for Cortex install
- 3 databases in the cluster
- cortex-admin
- cortex-graph
- cortex-metrics
Redis cluster
- Connection string with username/password for Cortex install
Rabbit cluster
- Connection string with username/password for Cortex install
Postgres/RDS cluster
- Connection string with username/password for Cortex install
ElastiCache cluster
- Connection string with username/password for Cortex install, OR
- Cluster API endpoint